With the subject of GDPR finally hitting mainstream news, BBC Radio 5 Live presenters Sean Farringdon and Rachel Burden interview the Deputy Information Commissioner, Steve Wood on the imminent Data Protection Regulation changes.
We’ve highlighted some of the main points of discussion for you, and you can watch the interview recording at the bottom of the page.
The regulations set out in the current Data Protection Act 1998 apply to organisations of all sizes that store, collect and share personal data, and the same is true of the new and updated rules of the General Data Protection Regulation.
That said, Steve Wood told BBC Radio 5 Live that micro businesses that are doing straightforward things with personal data should keep their approach to GDPR just as simple.
The main points organisations need to understand are:
In response to a listener’s question about his small business and if he is able to retain the email addresses of his clients, Steve Wood, the ICO’s Deputy Information Commissioner said:
“If (he) already has an existing relationship with his clients and he is selling them services or goods, and they have already purchased things from him, then the law allows that relationship to continue. In that situation it is likely that (he) can continue to send marketing information to those members of the public he is serving and there shouldn’t be a problem there.”
Mr Wood says that if the data is required in order for the business to operate and contact its clients, then it can keep that information. The organisation’s “need and purpose” for keeping that data should be easy to describe and demonstrate.
“The new law isn’t about disrupting important things that businesses need to do.”
Organisations should pay particular attention to email lists, for example, where they don’t know where or how they obtained them. In this situation, lists should be cleaned and where appropriate new opt-ins should be obtained.
The GDPR covers all possible permutations of how personal data can be used. This includes marketing sent by post, which is known as direct marketing.
‘Nuisance’ cold calls and text messages are covered by the Privacy and Electronic Communications Regulations (PECR), which work side by side with the Data Protection Act. The GDPR gives the Information Commissioner’s Office greater power, with higher fines awarded to the worst offenders.
Security measures should be put in place when your work requires you to take documents or devices that hold personal data home with you. Policies should take into account the following:
Although it only scratched the surface of GDPR, the BBC Radio 5 Live interview did highlight the fundamentals of an organisation’s personal data responsibilities.
It is a requirement to have a clear privacy notice in place that is integrated into your website, email and other marketing channels. Essentially, this gives your customers ample opportunity to see it, understand it and accept it.
Be sensible with personal data. Can this individual or organisation reasonably expect to hear from me? Did they give me consent to market to them? Have I asked them to opt into my marketing communications?
If you can confidently answer yes to those questions, are you just as confident that you can demonstrate that fact?